tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: Tomcat5 and url tracking hijacking
Date Tue, 27 Jan 2004 14:41:27 GMT
Yeah - you'd get that user's session. Same problem with cookie hijacking.

Use https.

There is nothing defined by the spec to prevent this. (Except https)

-Tim

Marc Hughes wrote:
> Does Tomcat 5 use some kind of mechanism to prevent session hijacking 
> when URL session tracking is being used?  For instance, if someone posts 
> a URL to a website with the tracking info in it, will anyone clicking on 
> that link pick up the original user's session (assuming it didn't time 
> out yet)?  If it does prevent this, how?
> 
> If anyone knows of any articles about keeping sessions safe, I'd love to 
> get pointed to those.
> 
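
A detection-side view of the scenario in this thread, as an added example that is not part of the original messages: it scans access log lines for `;jsessionid=` URLs, reporting session IDs presented by more than one client and ID-bearing links followed from another site. The combined access log format, the host names and the addresses are assumptions, and the sample lines are constructed.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined-format access log line: client, request target, status, size, Referer.
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "(?P<referer>[^"]*)"')
# URL session tracking puts the ID in a path parameter: /path;jsessionid=ID?query
SID_RE = re.compile(r";jsessionid=([^;?#/\s]+)", re.IGNORECASE)

def tag(session_id):
    """Short digest so reports never contain a usable session ID."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]

def analyze(lines, own_host):
    """Return (shared, external).

    shared:   {tag: sorted client addresses} for IDs presented by more than one client.
    external: [(client, referring host, tag)] for ID-bearing URLs followed from another site.
    """
    clients, external = defaultdict(set), []
    for line in lines:
        m = LINE_RE.match(line)
        sid = SID_RE.search(m.group("target")) if m else None
        if not sid:
            continue  # unparseable line, or no session ID in the URL
        t = tag(sid.group(1))
        clients[t].add(m.group("client"))
        ref_host = urlsplit(m.group("referer")).hostname  # None for "-" or empty
        if ref_host and ref_host != own_host:
            external.append((m.group("client"), ref_host, t))
    shared = {t: sorted(c) for t, c in clients.items() if len(c) > 1}
    return shared, external

# Constructed sample log lines (documentation addresses, hypothetical hosts).
SAMPLE = [
    '192.0.2.10 - - [27/Jan/2004:14:00:01 +0000] "GET /shop/cart;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 512 "http://app.example/shop/" "UA"',
    '198.51.100.7 - - [27/Jan/2004:14:05:09 +0000] "GET /shop/cart;jsessionid=A1B2C3D4E5F6 HTTP/1.1" 200 512 "http://forum.example/thread/42" "UA"',
    '203.0.113.5 - - [27/Jan/2004:14:06:30 +0000] "GET /shop/list;jsessionid=0F9E8D7C6B5A?page=2 HTTP/1.1" 200 900 "http://app.example/shop/" "UA"',
    '203.0.113.5 - - [27/Jan/2004:14:06:41 +0000] "GET /shop/item HTTP/1.1" 200 300 "-" "UA"',
]

if __name__ == "__main__":
    shared, external = analyze(SAMPLE, "app.example")
    print("IDs seen from several clients:", shared)
    print("ID-bearing links followed from other sites:", external)
```

A session ID seen from two addresses is a signal for review rather than proof, since one user's address can change during a session.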

